Overview of the Net-Worm.Win32.Kido.ih sample
Net-Worms are classified as extremely dangerous: they spread aggressively through computer networks, and their distinguishing feature is that they replicate and propagate on their own, without any user interaction. Specifically, a worm scans for security holes in system software running on computers reachable over the local network or the Internet and attacks them with specially prepared packets (collectively called exploits). As a result, part or all of the worm's malicious code enters the victim's computer and is executed automatically. Sometimes these packets carry only a small part of the worm, and that piece of code is responsible for downloading and running the remaining modules by some other means. Some network worms also use several propagation methods at once, to speed up replication from the computers they have already infected.
According to Kaspersky Lab, this sample first appeared on February 20, 2009 at 07:04 GMT; it was officially released and spread on August 20, 2009 at 19:33 GMT, and was detected at the same time, on August 20, 2009 at 14:52 GMT.
Technical details
This worm spreads mainly through the local network and through removable storage devices such as USB sticks and portable hard drives. It is a Windows PE DLL file; its size generally ranges from 155 KB to 165 KB, and it is packed with UPX.
When installed, the worm copies its executable file to the system under random names, as follows:
%System%\<rnd>.dll
%Program Files%\Internet Explorer\<rnd>.dll
%Program Files%\Movie Maker\<rnd>.dll
%All Users Application Data%\<rnd>.dll
%Temp%\<rnd>.dll
%System%\<rnd>.tmp
%Temp%\<rnd>.tmp
where <rnd> is a random string. Next, to make sure these files are run again at the next system boot, the worm registers a Windows service that points to the files copied above. The following registry key is created in this step:
[HKLM\SYSTEM\CurrentControlSet\Services\netsvcs]
At the same time, it changes the value of the following registry key:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs" = "%System%\<rnd>.dll"
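As an added example (not code from the original article or from Kaspersky Lab), the following PowerShell audit checks a Windows host for the persistence artifacts just described: a service key named netsvcs, an unexpected ServiceDll inside the svchost netsvcs group, and the state of the services the payload stops. It assumes an elevated session and uses the standard environment variables to locate the drop directories listed above.

```powershell
# Added example, not code from the original article or from Kaspersky Lab.
# Audits the artifacts the description names: a service key called "netsvcs",
# a random-name ServiceDll in the svchost "netsvcs" group, and the stopped
# Windows Update / BITS services. Read-only; run in an elevated PowerShell session.
function Find-KidoServiceArtifacts {
    $svcHostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
    $servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

    # Drop directories listed above. %System% is left out on purpose: most
    # legitimate service DLLs live there, so it is covered by the signature check.
    $dropDirs = @(
        (Join-Path $env:ProgramFiles 'Internet Explorer'),
        (Join-Path $env:ProgramFiles 'Movie Maker'),
        (Join-Path $env:ALLUSERSPROFILE 'Application Data'),   # All Users Application Data
        $env:ProgramData,
        $env:TEMP
    )

    # 1. A service key literally named "netsvcs" is not part of a clean Windows install.
    if (Test-Path (Join-Path $servicesKey 'netsvcs')) {
        Write-Warning "Service key '$servicesKey\netsvcs' exists"
    }

    # 2. Resolve the ServiceDll of every service in the netsvcs group.
    $group = (Get-ItemProperty -Path $svcHostKey -Name netsvcs).netsvcs
    foreach ($name in $group) {
        $params = Join-Path $servicesKey "$name\Parameters"
        $dll = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { continue }
        $path = [Environment]::ExpandEnvironmentVariables($dll)
        $inDropDir = @($dropDirs | Where-Object { $_ -and $path -like "$_\*" }).Count -gt 0
        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        # The worm's DLL has a random name, so the name itself tells nothing; a DLL in
        # a drop directory, or one Windows does not vouch for, is the lead to pull.
        if ($inDropDir -or -not $sig -or $sig.Status -ne 'Valid') {
            [pscustomobject]@{
                Service    = $name
                ServiceDll = $path
                Signature  = $(if ($sig) { $sig.Status } else { 'Unreadable' })
            }
        }
    }

    # 3. The payload stops Windows Update (wuauserv) and BITS; report their state.
    Get-Service -Name wuauserv, BITS -ErrorAction SilentlyContinue |
        Select-Object Name, Status, StartType
}

Find-KidoServiceArtifacts | Format-List
```

An unsigned DLL in the list is a lead, not proof: on older systems catalog-signed Microsoft DLLs can also report a non-Valid status, so confirm any hit by inspecting the file itself.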
Propagation process
To begin, the worm starts an HTTP server on an arbitrary TCP port and uses it to deliver its executable file to other computers on the same network. It obtains the IP addresses of computers on the same network segment as the infected host and attacks them through the MS08-067 vulnerability in the Server service: it sends specially prepared RPC requests to the target computer, which causes a buffer overflow that corrupts a data area when the wcscpy_s function is called in netapi32.dll. The worm's executable file is then downloaded to the victim's computer and launched automatically, and the whole process repeats from the newly infected computer.
In order to exploit the vulnerability described above, the worm also tries to connect to the Administrator account on the target computer, using the following passwords for that account:
99999999
9999999
999999
99999
88888888
8888888
888888
88888
8888
888
88
8
77777777
7777777
777777
77777
7777
777
77
7
66666666
6666666
666666
66666
6666
666
66
6
55555555
5555555
555555
55555
5555
555
55
5
44444444
4444444
444444
44444
4444
444
44
4
33333333
3333333
333333
33333
3333
333
33
3
22222222
2222222
222222
22222
2222
222
22
2
11111111
1111111
111111
11111
1111
111
explorer
exchange
customer
cluster
nobody
codeword
codename
changeme
desktop
security
secure
public
system
shadow
office
supervisor
superuser
share
super
secret
server
computer
owner
backup
database
lotus
oracle
business
manager
temporary
ihavenopass
nothing
nopassword
nopass
Internet
Internet
example
sample
love123
boss123
work123
home123
mypc123
temp123
test123
qwe123
abc123
pw123
root123
pass123
pass12
pass1
admin123
admin12
admin1
password123
password12
password1
9999
999
99
9
11
first
00000000
0000000
00000
0000
000
00
0987654321
987654321
87654321
7654321
654321
54321
4321
321
21
twelfth
fuck
zzzzz
zzzz
zzz
xxxxx
xxxx
xxx
qqqqq
qqqq
qqq
aaaaa
aaaa
aaa
sql
file
web
foo
job
home
work
intranet
controller
killer
games
private
market
coffee
cookie
forever
freedom
student
account
academia
files
windows
monitor
unknown
anything
letitbe
letmein
domain
access
money
campus
default
foobar
foofoo
temptemp
temp
testtest
test
rootroot
root
adminadmin
mypassword
mypass
pass
Login
login
Password
password
passwd
zxcvbn
zxcvb
zxccxz
zxcxz
qazwsxedc
qazwsx
q1w2e3
qweasdzxc
asdfgh
asdzxc
asddsa
asdsa
qweasd
qwerty
qweewq
qwewq
nimda
administrator
Admin
admin
a1b2c3
1q2w3e
1234qwer
1234abcd
123asd
123qwe
123abc
123321
12321
123123
1234567890
123456789
12345678
1234567
123456
12345
1234
123
Spread through removable storage devices
When spreading through these devices, the worm copies itself under the following name:
<X>:\RECYCLER\S-<%d>-<%d>-<%d>-<%d>-<%d>-<%d>\<rnd>.vmx
where <X> is the drive letter, each %d is a number and <rnd> is a random string. At the same time, it creates the following .inf file on every such device:
<X>:\autorun.inf
Whenever the system's Explorer process accesses the storage device, the worm is activated automatically and spreads.
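As an added example (not part of the original description), this PowerShell function inspects every removable drive for the autorun.inf and RECYCLER\...\.vmx artifacts described above and reports what the autorun file would launch, without executing anything. It assumes the Win32_LogicalDisk CIM class, available on any current Windows.

```powershell
# Added example, not code from the original article or from Kaspersky Lab.
# Lists, for every removable drive, the two artifacts described above (autorun.inf
# and a .vmx file under RECYCLER) and shows what autorun.inf would launch, without
# running anything. Read-only; works from a normal user session.
function Find-KidoRemovableArtifacts {
    # DriveType 2 = removable disk (USB sticks, card readers, portable drives)
    foreach ($disk in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2') {
        $root = $disk.DeviceID + '\'

        # The worm's copy sits under <X>:\RECYCLER\S-...\ as a .vmx file. RECYCLER is a
        # recycle-bin folder name, so any .vmx below it is out of place.
        $recycler = Join-Path $root 'RECYCLER'
        if (Test-Path $recycler) {
            Get-ChildItem -Path $recycler -Recurse -Force -Filter '*.vmx' -ErrorAction SilentlyContinue |
                ForEach-Object {
                    [pscustomobject]@{ Drive = $root; Artifact = $_.FullName; Launches = '' }
                }
        }

        $inf = Join-Path $root 'autorun.inf'
        if (-not (Test-Path $inf)) { continue }

        # autorun.inf is INI-style. Inside [autorun], the keys that make Explorer run
        # code are open, shellexecute and shell\<verb>\command; collect their values.
        $launch = @()
        $inSection = $false
        foreach ($line in Get-Content -Path $inf -Force -ErrorAction SilentlyContinue) {
            $t = $line.Trim()
            if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -ieq 'autorun'); continue }
            if ($inSection -and $t -match '^(open|shellexecute|shell\\[^\\=]+\\command)\s*=\s*(.+)$') {
                $launch += "$($Matches[1])=$($Matches[2])"
            }
        }
        [pscustomobject]@{ Drive = $root; Artifact = $inf; Launches = ($launch -join '; ') }
    }
}

Find-KidoRemovableArtifacts | Format-Table -AutoSize -Wrap
```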
Payload
Each time it runs, the worm also injects its code into the address space of the running svchost.exe process. This injected code implements the main payload, which:
- Stops the following services: wuauserv, BITS
- Blocks access to any address containing one of the strings listed below:
windowsupdate
wilderssecurity
threatexpert
castlecops
spamhaus
cpsecure
arcabit
emsisoft
sunbelt
securecomputing
rising
prevx
pctools
norman
k7computing
ikarus
hauri
hacksoft
gdata
fortinet
ewido
clamav
comodo
quickheal
avira
avast
esafe
ahnlab
centralcommand
drweb
grisoft
eset
nod32
f-prot
jotti
kaspersky
f-secure
computerassociates
networkassociates
etrust
panda
sophos
trendmicro
mcafee
norton
symantec
microsoft
defender
rootkit
malware
spyware
virus
At the same time, the worm can download additional files from the following address:
http://<host>/search?q=<rnd2>
where rnd2 is a random number and the URL, host name included, is generated by an algorithm that depends on the system date and time. The worm obtains the current time from one of the following sites:
- http://www.w3.org
- http://www.ask.com
- http://www.msn.com
- http://www.yahoo.com
- http://www.google.com
- http://www.baidu.com
These files are downloaded and saved in the Windows system directory under their original names.
Removal
If the victim's computer is not protected by an up-to-date antivirus program (or, worse, has no security software at all), a dedicated removal tool or the following manual procedure should be used:
- Find and delete the following registry key:
[HKLM\SYSTEM\CurrentControlSet\Services\netsvcs]
- Then delete the %System%\<rnd>.dll string from the value in the following key:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs"
- Restart the computer.
- Delete the worm's original file; depending on how severe the infection is, the number and location of its copies will vary.
- Also delete its copies in the following locations:
%System%\<rnd>.dll
%Program Files%\Internet Explorer\<rnd>.dll
%Program Files%\Movie Maker\<rnd>.dll
%All Users Application Data%\<rnd>.dll
%Temp%\<rnd>.dll
%System%\<rnd>.tmp
%Temp%\<rnd>.tmp
where <rnd> is a random string.
- Delete the files created on storage devices, for example:
<X>:\autorun.inf
<X>:\RECYCLER\S-<%d>-<%d>-<%d>-<%d>-<%d>-<%d>\<rnd>.vmx
- Install the latest patches for the operating system in use.
- Keep the virus signature database of the security program in use fully up to date, and run periodic full system scans.
- Use only reputable security programs of clear origin.